SYSTEM FOR PROVIDING CONTINUITY BETWEEN MESSAGING CLIENTS AND METHOD THEREFOR

SYSTEM FOR ENSURING CONTINUITY BETWEEN SEVERAL MESSAGING CLIENTS AND CORRESPONDING METHOD

Patent Applicant/Assignee:

MOTOROLA INC, 1303 East Algonquin Road, Schaumburg, IL 60196, US, US (Residence), US (Nationality)

HAYES David J, 7544 Wentworth Drive, Lake Worth, FL 33467, US,
MOCK Von Alan, 8114 Rose Marie Circle, Boynton Beach, FL 33437, US,

DULANEY Randi L (et al) (agent), 8000 West Sunrise Blvd., Rm 1610, Fort Lauderdale, FL 33322, US,

Priority Application: US 2001995338 20011127
Main International Patent Class: G06F-011/30
International Patent Class: G06F-012/14; G06F-015/16; H04L-009/00; H04L-009/32

Publication Language: English 
Filing Language: English 
Fulltext Availability: 

Detailed Description 

Claims 

Fulltext Word Count: 28416 
English Abstract 

A messaging communication system (10) includes a plurality of messaging clients (12). A first messaging client (14) establishes a first communication connection (16) operating using a plurality of client data (25). The first messaging client (14) transfers the plurality of client data (25) to a second messaging client (20). The second messaging client (20) establishes a second communication connection (22) operating using the plurality of client data (25).

French Abstract 

A messaging communication system (10) comprises several messaging clients (12). A first messaging client (14) establishes a first communication connection (16) operating with several items of client data (25). Said first messaging client (14) transfers these several items of client data (25) to a second messaging client (20). The second messaging client (20) establishes a second communication connection (22) operating with several items of client data (25).



Legal Status (Type, Date, Text)

Publication 20030605 A1 With international search report.
...International Patent Class: G06F-015/16 ... H04L-009/00 ... H04L-009/32

Fulltext Availability:
Detailed Description

Detailed Description

...data 25 can include any of the client data mentioned herein or an equivalent.

The client version identifier is preferably the name ...which a message server is utilized to manage the plurality of messaging sessions 24, the server identifier 32 identifies the message server. For example, the server identifier 32 can be a wireless address, an IP (internet protocol) address, or an IP address ... 33 preferably includes a code that is used to authenticate the account user 30 to the messaging communication system 10. For example, the authentication key 33 could be...
Main International Patent Class: G06F-001/00
International Patent Class: H04L-029/06
Publication Language: English
Filing Language: English
Fulltext Availability:
Detailed Description
Claims

Fulltext Word Count: 21515
English Abstract

A method for enhanced quality of identification in a data communications 
network includes obtaining a user identifier that includes an 
identification server ID and an identification randomized ID . The 
identification server ID identifies an identification server 
peer group. The identification server peer group includes at least 
one server that maintains a mapping between an identification randomized 
ID and a user authentication peer group capable of authenticating 
a user associated with a particular randomized ID, and a mapping 
between the identification randomized ID and user information. The 
method also includes requesting authorization of the user by 
presenting the user identifier to a corresponding identification 
server peer group. Each server in the identification server peer 
group is configured to search for one or more matching entries including 
the randomized ID. 

French Abstract 

The invention relates to a method improving the quality of identification in a data transmission network, consisting in obtaining a user identifier comprising an identification server ID and a randomized identification ID. The identification server ID identifies a group of service-provider servers comprising at least one server containing: a correspondence between the randomized identification ID and a user identification peer group able to authenticate a user associated with a particular randomized identification ID, and a correspondence between the randomized identification ID and user information. The method also consists in requesting authorization of the user by presenting the user identifier to a corresponding group of identification peer servers. Each of the servers of said group is designed to search for one or more matching entries containing the randomized ID.

Legal Status (Type, Date, Text)

Publication 20030508 A1 With international search report.
Examination 20030710 Request for preliminary examination prior to end of 19th month from priority date
VIRTUAL SMART CARD SYSTEM AND METHOD

VIRTUAL SMART CARD SYSTEM AND METHOD OF USE

Patent Applicant/Assignee: 

SECURE COMPUTING CORPORATION, 2675 Long Lake Road, Roseville, MN 55113, 
US, US (Residence), US (Nationality) 
Inventor(s):

SMITH Lawrence, 3620 Concord Boulevard, Concord, CA 94519, US, 
LEVENBERG Richard, 3346 Helen Lane, Lafayette, CA 94549, US, 

Legal Representative:
Patent and Priority Information (Country, Number, Date):

Patent: WO 200118635 A2-A3 20010315 (WO 0118635)
Application: WO 2000US24352 20000901 (PCT/WO US0024352)
Priority Application: US 99389540 19990903

(EP) AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE 
Main International Patent Class: G06F-001/00 
International Patent Class: H04L-029/06 
Publication Language: English 
Filing Language: English 
Fulltext Availability: 

Detailed Description 

Claims 

Fulltext Word Count: 4934
English Abstract 

A public key authentication system and method for use in a computer system having a plurality of users. The system includes a virtual smart card server, storage connected to the virtual smart card server, and a virtual smart card agent connected to the virtual smart card server. The storage includes a plurality of virtual smart cards, wherein each virtual smart card is associated with a user and wherein each smart card includes a private key. The virtual smart card agent authenticates the user and accesses the authenticated user's virtual smart card to obtain the user's private key.

French Abstract 

The invention relates to a public key authentication system and its method of use in a computer system comprising several users. The system comprises a virtual smart card server, a memory connected to the virtual smart card server, and a virtual smart card agent connected to the virtual smart card server. The memory comprises several virtual smart cards. Each virtual smart card is associated with a user and comprises a private key. The virtual smart card agent authenticates the user and accesses the authenticated user's virtual smart card to obtain the user's private key.

Legal Status (Type, Date, Text)

Publication 20010315 A2 Without international search report and to be republished upon receipt of that report.
Examination 20010614 Request for preliminary examination prior to end of 19th month from priority date
Search Rpt 20011213 Late publication of international search report
Republication 20011213 A3 With international search report.


Detailed Description 

...includes a plurality of public keys, wherein each public key is associated with a unique user identifier. The host system includes a public key authentication client and an interface to a smart-card-enabled application, wherein the public key authentication client is connected to the authentication server. The public key authentication client receives a challenge issued by the authentication server, signs the challenge with a digital signature...



Claim

...includes a plurality of public keys, wherein each public key is associated with a unique user identifier; and
a host system, wherein the host system includes a public key authentication client and an interface to a smart-card-enabled application, wherein the public key authentication client is connected to the authentication server;
wherein the public key authentication client receives a challenge issued by the authentication server, signs the challenge with a digital signature...
Secure two-piece user authentication in a computer network

PATENT ASSIGNEE: 

Compaq Computer Corporation, (687792), 20555 S.H. 249, Houston Texas 
77070, (US), (applicant designated states: 
AT ; BE ; CH ; DE ; DK; ES ; FI ; FR; GB ; GR; IE ; IT ; LI ; LU ; MC ; NL ; PT ; SE ) 
INVENTOR: 

Angelo, Michael F., 14926 Walters Road, Houston, Texas 77068, (US) 
Olarig, Sompong P., 15415 Evergreen Knoll Lane, Cypress, Texas 77429, 
(US) 

LEGAL REPRESENTATIVE: 

Brunner, Michael John et al (28871), GILL JENNINGS & EVERY Broadgate 
House 7 Eldon Street, London EC2M 7LH, (GB) 
PATENT (CC, No, Kind, Date) : EP 851335 A2 980701 (Basic) 

EP 851335 A3 990616 
APPLICATION (CC, No, Date): EP 97310653 971230; 
PRIORITY (CC, No, Date) : US 774809 961231 
DESIGNATED STATES: DE; FR; GB 
INTERNATIONAL PATENT CLASS: G06F-001/00; 

ABSTRACT EP 851335 A2 

A computer system according to the present invention utilizes a two-piece authentication procedure to securely provide user authentication over a network. In the disclosed embodiment of the invention, a user password is entered during a secure power-up procedure. The user password is encrypted by an external token or smart card that stores an encryption algorithm furnished with an encryption key that is unique or of limited production. A network password is thereby created. The network password is maintained in a secure memory space such as System Management Mode (SMM) memory. When the user desires to access a network resource such as a hard drive in a server, the network password is encrypted and communicated over the network. In the case of a server hard drive, the network password is encrypted using the server's public key (or another key that is known to the server). Optional node identification information is appended to the network password prior to communication over the network. The node identification information can be used for a variety of purposes, including limiting access to certain pieces of data to specified users on specified machines. Once received by the server, the encrypted network password is decrypted using the server's public key. A user verification process is then performed on the network password to determine which, if any, access privileges have been accorded the network user. Numerous other uses for the network password are disclosed, and permit the network resources to be securely compartmentalized with the option to have multiple user levels. The two-piece nature of the authentication process assures that if either the user password or the external token is stolen, it is of little value. Both pieces are required to access protected resources and uniquely identify a user to the network. Further, a network user's identity is maintained when working on different machines.

ABSTRACT WORD COUNT: 306 



LEGAL STATUS (Type, Pub Date, Kind, Text):
Examination: 020918 A2 Date of dispatch of the first examination report: 20020731
Examination: 20000202 A2 Date of request for examination: 19991206
Application: 980701 A2 Published application (A1 with Search Report; A2 without Search Report)
Search Report: 990616 A3 Separate publication of the European or International search report
LANGUAGE (Publication, Procedural, Application): English; English; English
FULLTEXT AVAILABILITY:

Available Text   Language      Update   Word Count
CLAIMS           A (English)   9827     840
SPEC             A (English)   9827     6236
Total word count - document A        7076
Total word count - document B        0
Total word count - documents A + B   7076



Detailed Description
Claims

Fulltext Word Count: 9948

English Abstract 

A computer system (20) for authenticated access for a client (18) over an insecure network (32) to secure a destination server (24) on another network, through the use of a client authentication certificate (50). A proxy server (40) intercepts messages destined for the destination server (24), and forwards the intercepted messages to a gateway (38) on the network (20). The gateway (38) configures a cookie, with identifiers (48) sufficient to identify the destination server (24), or alternatively, utilizes a user (18) identification and password.

French Abstract 

The invention relates to a computer system (20) intended to provide a client (18) on an insecure network (32) with authenticated access to a destination server (24) on a secure network, via the use of a client authentication certificate (50). To this end, a proxy server (40) intercepts the messages intended for the destination server (24) and forwards the intercepted messages to a gateway (38) on the network (20). The gateway (38) configures a cookie with identifiers (48) sufficient to identify the destination server (24), or else it uses a user (18) identification and a password.
English Abstract

A computer system provides authenticated access for a client computer (18) over an insecure, public network (26) to one of a plurality of destination servers (28) on a private, secure network, through the use of a client-side X.509 digital certificate. A firewall (32) is disposed between the insecure, public network (26) and the private network. A demilitarized zone (DMZ) proxy server (34) intercepts messages destined for the destination servers (28), and forwards the intercepted messages through the firewall (32) to a gateway (38) on the private network. The gateway (38) is configured to create a cookie, based on the selection of one of several applications (30) available on the private network. The cookie contains an identifier sufficient to identify the destination server (28) corresponding to the selected application (30). Messages from the client computer include the cookie. The gateway (38) processes the cookie and appends the identifier on a destination URL portion of the messages for routing. An alternate computer system authenticates a user of a remote client computer on the insecure network site (26) of the firewall (32) using a user identification and password.

French Abstract 

The present invention relates to a computer system which provides a client computer (18), on an insecure public network (26), with authenticated access to one or more destination servers (28) on a secure private network, by use of a client-side X.509 digital certificate. A firewall (32) is placed between the insecure public network (26) and the private network. A demilitarized zone (DMZ) proxy server (34) intercepts messages intended for the destination servers (28) and forwards them, through the firewall (32), to a gateway (38) on the private network. This gateway (38) is configured to create a cookie, based on the selection of one of several applications (30) which are available on the private network. This cookie contains an identifier which makes it possible to identify the destination server (28) corresponding to the selected application (30). Messages from the client computer include the cookie. The gateway (38) processes the cookie and adds the identifier to a destination URL portion of the messages for routing. An alternate computer system authenticates a remote client computer user, on the insecure network site (26) of the firewall (32), by use of a user identification and password.

Legal Status (Type, Date, Text)

Publication 20010621 A1 With international search report.
Examination 20011025 Request for preliminary examination prior to end of 19th month from priority date




38/5, K/36 (Item 36 from file: 349)
DIALOG(R) File 349: PCT FULLTEXT
(c) 2003 WIPO/Univentio. All rts. reserv.

00766059 **Image available**
QUERY INTERFACE TO POLICY SERVER

Patent Applicant/Assignee: 

INTERNET DYNAMICS INC, 3717 E. Thousand Oaks Boulevard, Westlake Village, 
CA 91362, US, US (Residence), US (Nationality), (For all designated 
states except: US) 
Patent Applicant/Inventor: 

HANNEL Clifford Lee, 3178 Futura Point, Thousand Oaks, CA 91362, US, US 
(Residence), US (Nationality), (Designated only for: US ) 

MAY Anthony Allan, 6644 Glade Avenue #217, Woodland Hills, CA 91303, US, 
US (Residence), CA (Nationality), (Designated only for: US ) 
Legal Representative: 

NELSON Gordon E, 57 Central Street, P.O. Box 782, Rowley, MA 01969, US 
Patent and Priority Information (Country, Number, Date) : 

Patent: WO 200079434 Al 20001228 (WO 0079434) 

Application: WO 2000US17078 20000621 (PCT/WO US0017078) 

Priority Application: US 99140417 19990622 
Designated States: AU JP SG US 

(EP) AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE
Main International Patent Class: G06F-017/30 
Publication Language: English 
Filing Language: English 
Fulltext Availability: 

Detailed Description 

Claims 

Fulltext Word Count: 54190 
English Abstract 

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base (3845) to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL query. The policy server (3811) assembles the information needed for the response to the query from various information sources, including sources external to the policy server.

French Abstract 

The invention relates to a scalable access filter used with other similar filters in a virtual private network in order to control users' access at clients of the network to information resources provided by servers on the network. Each access filter uses a local copy of an access control database (3845) to determine whether the access request is made by a user. Each user belongs to at least one user group and each information resource belongs to at least one information set. Access is allowed or denied according to access policies which define access in terms of user groups and information sets. The first access filter in the path performs the access check, decrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is then an SQL query. The policy server (3811) assembles the information required for the response to the query from several information sources, including a source external to said server.

Legal Status (Type, Date, Text)

Publication 20001228 A1 With international search report.
...19th month from priority date

Fulltext Availability:
...allow or deny policy.
DBUsersTreeFile: Describes the user groups tree as a flattened array. Maps each DB UserGroupID to a list of UserGroupIDs for parent user groups.
DBResourcesFile: Describes policy application from...
...flattened array. Maps each DB ResourceGroupID to a list of ResourceGroupIDs for parent information sets.

User Identification Information (20311)
DBIPRangesFile: IP ranges data. Maps from IPRangeDefID to the IP range data...
...IP domain data.
DBCertificatesFile: Certificate data. Maps from CertificateDefID to the certificate data.
DBWindowsIDFile: Windows ID data. Maps from WindowDefID to the Windows ID data.
DBSmartCardIDFile: Smart card (authentication token) data. Maps from...

...user groups. Maps from certificate data to UserGroupIDs.
DBWindowsIDByUserGroupFile: Relates Windows IDs to user groups. Maps from Windows ID data to UserGroupIDs.
DBSmartCardIDByUserGroupFile: Relates smart card (authentication token) data to user groups. Maps from authentication token data to UserGroupIDs.

Fig. 23A (2301): MMF File Name...

...DBResourcesByServerIDFile: Relates servers to resources. Maps from ServerIDs to ResourceIDs for resources held on the server identified by the ServerID.
DBResourcesByServiceIDFile: Relates services to resources. Maps from ServiceIDs to ResourceIDs for resources belonging to the...
...Maps from ServiceID to ResourceID.
DBResourceIDByNameFile (2315): Relates the IP names (URLs) of resources to resource IDs. Maps from URL to resource ID.
DBResourcesByResourceIDFile (2317): Relates resources to information sets. Maps ResourceID to ResourceGroupIDs.

Servers, Services, IP Information, and Proxies
DBServerIDByIPFile: Relates IP addresses to servers. Maps IP addresses...
...Maps from ServiceID to port number.
DBServiceIDByServerIDFile: Relates servers to ports for services. Maps from ServerID to a list of port numbers.
DBServicePodToProxyPortFile: Relates service pods to the ports for their...
...options data

Access Filter Information (2321)
DBAttachedNetworksByIPFile: Relates network interfaces in the access filters to information for the interfaces. Maps from the interface's IP address to interface information.
DBAttachedNetworksByServerIDFile: Relates access filters to their network interfaces. Maps from ServerID for the access filter to interface information.
DBRoutingTableFile: Describes the...

DBTrustTableFile: Implements the SEND table. Maps from TrustDefID, indicating a trust level, to AuthenticationIDs for user identification techniques and EncryptionIDs for encryption techniques.
DBCertificateAuthoritiesFile: Relates identifiers for certificate authorities to their data. Maps from CertificateAuthorityID to associated data.
DBTrustAuthenticationsFile: Relates AuthenticationIDs to information about identification techniques. Maps from AuthenticationID to identification technique information.
DBTrustEncryptionsFile: Relates EncryptionIDs to information about encryption techniques. Maps from EncryptionID to...
ABSTRACT EP 1124172 A2

Determining authorization for actions includes defining a plurality of groups, defining a plurality of action types and corresponding levels of authorization for each of the groups, for at least a subset of the action types, defining a plurality of devices on which corresponding actions may be performed, wherein at least some of the devices correspond to portions of a data storage device, and, for the at least one of the groups, determining authorization for a requested action, where if the action corresponds to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group and by examining the plurality of devices corresponding to the requested action and where if the action does not correspond to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group. The action types may include system calls to the data storage device. The at least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. In response to a requested action being authorized, a tag may be returned that may be used in connection with subsequent requests that the action be performed.
SPECIFICATION (excerpt): ...allow restricted access to selected portions of the memory based upon a matrix containing an ID for every host system that may request access to the memory, an ID for every available memory element, and which types of access each host ID is allowed with each memory element. The requestor ID number may be created using an existing host computer system hardware ID, a user password or a group password in a multi-user computer system, a Fibre Channel world wide name, a URL in an internet access configuration, a unique random access number assigned by the memory system, a default value, or... host computer system with a hardware ID of 111AAA2, may have 10 terminals and 50 authorized user accounts. If all 50 users are permitted by the host system administrator to access every...
ABSTRACT EP 1122629 A2

Controlling access to a data storage device (W, X, Y, Z) includes defining a plurality of groups (Q, R, S, T, V) that access the data storage device (W, X, Y, Z), defining a plurality of pools of devices of the data storage device (W, X, Y, Z), and, for at least one of the groups (Q, R, S, T, V), determining access rights with respect to at least one of the pools. The pools of devices (W, X, Y, Z) may include communication ports and/or memory segments of the storage element. The access rights may indicate whether system calls are allowed on the communication ports. In some embodiments, restricting access to a data storage device includes coupling each of a plurality of host requestor systems to the storage element by one of a plurality of ports provided for the storage element and selectively determining, for each of the ports, whether system calls are allowed, where, for the ports in which system calls are not allowed, a system call by the host systems coupled thereto causes the storage element to indicate that the system call was not performed. In other embodiments, the access to pools of memory resources having a unique ID number is restricted to requestors having unique ID numbers in a data base that matches allowed requestors and request types to allowed pools of memory.

English Abstract 

A method for obtaining a service on a data communications network, the 
method includes enrolling with an authority and using the enrollment 
results to obtain a service from a service provider. The enrolling 
creates enrollment results that include user data. The service provider 
is capable of communicating with the authority to verify the enrollment 
results. 

French Abstract 

The invention relates to a method for obtaining a service in a data 
communications network. The method consists of enrolling with an 
authority and using the enrollment results to obtain a service from a 
service provider. The enrollment generates enrollment results that 
include user data. The service provider can communicate with the 
authority to verify the enrollment results. 

Main International Patent Class: H04L-029/00 
Fulltext Availability: 
Detailed Description 

identification server ID and an identification randomized ID. The 
identification server ID identifies an identification server peer 
group. The identification server peer group includes at least one 
server that maintains a mapping between an identification randomized 
ID and a user authentication peer group capable of authenticating 
a user associated with a particular randomized ID, and a mapping 
between the identification randomized ID and user information. The 
method also includes requesting authorization of the user by 
presenting the user identifier to a corresponding identification 
server peer group. Each server in the identification server peer 
group is configured to search for one or more matching entries including 
the randomized ID... Turning now to FIG. 36, a flow diagram that 
illustrates a method for using federated identification servers and 
federated user authentication servers using a randomized user 
identifier to gain access to a service while maintaining privacy in 
accordance with one embodiment of the present invention is presented. At 
3600, a randomized user identifier is obtained. At 3605, a 
determination is made regarding whether it is time to use... 

...randomized ID is presented to a service portal. At 3615, a service 
portal sends a user authentication request to the identity server 
federation that contains the randomized identifier. At 3620, all servers 
in the identity server peer group search for a match with the 
randomized identifier. At 3625, a determination is made regarding 
whether a match was found. If there is... a match, at 3635 matching 
entries from the identity server federation are presented to a user 
authentication server federation to determine a single valid user data 
entry. Depending upon the amount of user authentication required and 
the capabilities of each user authentication server, multiple user 
authentication servers may cooperate in providing the required user 
authentication. 


[0132] According to one embodiment of the present invention, the 
federated identity peer group... host 3800. 

[0138] Before user 3825 uses service portal 3805 to obtain services on 
the Web, the user 3825 must be authenticated. This is accomplished 
by using the user identity credential and authenticated data in it. 
This may result in a service credential. User 3825 issues a service 
request, including a server group ID and the user identity 
credential. The service portal 3805 passes the identity credential to 
the federated identity server group indicated by the server group ID to 
authenticate the user. The federated identity servers 3815 may 
delegate some or all user authentication tasks to federated user 
authentication servers 3820. 


[0139] According to one embodiment of the present invention, user 
authentication includes... 

English Abstract 

A method for enhanced privacy protection in identification in a data 
communications network includes enrolling for a service on the data 
communications network, receiving a randomized identifier (ID) in 
response to the enrolling, storing the randomized ID and using the 
randomized ID to obtain services on the data communications network. An 
apparatus for obtaining a service on a data communications network 
includes an enrollment authority configured to accept an enrollment 
request. The enrollment authority is further configured to return 
enrollment results in response to the enrollment request. The enrollment 
results include user data and the enrollment results may be used in 
obtaining a service from a service provider. 

French Abstract 

The invention relates to a method for enhanced privacy protection in 
identification in a data communications network. The method consists of 
enrolling for a service on the data communications network; receiving a 
randomized identifier (ID) in response to the enrollment; storing the 
randomized ID, then using it to obtain services on the data 
communications network. The invention also relates to an apparatus for 
obtaining a service on a data communications network; the apparatus 
comprises an enrollment authority configured to accept an enrollment 
request and to return enrollment results in response to the enrollment 
request. The enrollment results contain the user data; these enrollment 
results may be used to obtain a service from a service provider. 

identification server ID and an identification randomized ID. The 
identification server ID identifies an identification server peer 
group. The identification server peer group includes at least one 
server that maintains a mapping between an identification randomized 
ID and a user authentication peer group capable of authenticating 
a user associated with a particular randomized ID, and a mapping 
between the identification randomized ID and user information. The 
method also includes requesting authorization of the user by 
presenting the user identifier to a corresponding identification 
server peer group. Each server in the identification server peer 
group is configured to search for one or more matching entries including 
the randomized ID. 

[0021] ...Turning now to FIG. 36, a flow diagram that illustrates a method 
for using federated identification servers and federated user 
authentication servers using a randomized user identifier to gain 
access to a service while ...in accordance with one embodiment of the 
present invention is presented. At 3600, a randomized user identifier 
is obtained. At 3605, a determination is made regarding whether it is 
time to use... 

...randomized ID is presented to a service portal. At 3615, a service 
portal sends a user authentication request to the identity server 
federation that contains the randomized identifier. At 3620, all servers 
in the identity server peer group search for a match with the 
randomized identifier. At 3625, a determination is made regarding ...a 
match, at 3635 matching entries from the identity server federation are 
presented to a user authentication server federation to determine a 
single valid user data entry. Depending upon the amount of user 
authentication required and the capabilities of each user 
authentication server, multiple user authentication servers may 
cooperate in providing the required user authentication. 

[0132] According to one embodiment of the present invention, the 
federated identity peer group is... 

English Abstract 

A method for controlling user access to distributed resources on a data 
communications network includes receiving a resource request. The request 
includes a rights key credential that includes at least one key to 
provide access to a resource on the data communications network. The 
rights key credential also includes a resource identifier that includes a 
resource server peer group ID and a randomized ID. The resource server 
peer group ID identifies a resource server peer group. The resource 
server peer group includes at least one server that maintains a mapping 
between a randomized ID and the at least one key. The method also 
includes providing access to the resource using the at least one key. 

French Abstract 

The invention relates to a method for controlling user access to 
resources distributed over a data communications network, the method 
consisting of receiving a resource request. The request comprises a 
rights key credential containing at least one key for accessing a 
resource on the data communications network. The credential also 
contains a resource identifier comprising a resource server peer group 
ID and a randomized ID. The peer group ID identifies a resource server 
peer group, which comprises at least one server maintaining a mapping 
between a randomized ID and said key. The method described in this 
invention also consists of providing access to resources using the 
aforementioned key. 

... identification server ID and an identification randomized ID. The 
identification server ID identifies an identification server peer 
group. The identification server peer group includes at least one 
server that maintains a mapping between an identification randomized 
ID and a user authentication peer group capable of authenticating 
a user associated with a particular randomized ID, and a mapping 
between the identification randomized ID and user information. The 
method also includes requesting authorization of the user by 
presenting the user identifier to a corresponding identification 
server peer group. Each server in the identification server peer group is 
configured to search for one or more matching entries including the 
randomized ID. 

...Turning now to FIG. 36, a flow diagram that illustrates a method 
for using federated identification servers and federated user 
authentication servers using a randomized user identifier to gain 
access to a service while maintaining privacy in accordance with one 
embodiment of the present invention is presented. At 3600, a randomized 
user identifier is obtained. At 3605, a determination is made 
regarding whether it is time to use... randomized ID is presented to a 
service portal. At 3615, a service portal sends a user authentication 
request to the identity server federation that contains the randomized 
identifier. At 3620, all servers in the identity server peer group 
search for a match with the randomized identifier. At 3625, a 
determination is made regarding whether a match was found. If... 

...is a match, at 3635 matching entries from the identity server federation 
are presented to a user authentication server federation to 
determine a single valid user data entry. Depending upon the amount of 
user authentication required and the capabilities of each user 
authentication server, multiple user authentication servers may 
cooperate in providing the required user authentication. 

[0132] According to one embodiment of the present invention, the 
federated identity peer group is... 

English Abstract 

A method for managing identification in a data communications network 
includes receiving a user-controlled secure storage device and enrolling 
the user with an authority network site. The enrolling includes providing 
information requested by the authority network site. The method also 
includes receiving user data in response to the enrolling, storing the 
user data in the user-controlled secure storage device, enabling the 
user-controlled secure storage device to release the user data and using 
the user data at a service provider network site to obtain a service. 

French Abstract 

This invention relates to a method for managing identification in a 
data communications network, which consists of receiving a 
user-controlled secure storage device and enrolling the user with an 
authority network site. The enrollment amounts to providing the 
information requested by the authority network site. The method also 
consists of receiving user data in response to the enrollment, storing 
this user data in a user-controlled secure storage device, enabling 
this device to release the user data, and using this data at a service 
provider network site in order to obtain a service. 

... identification server ID and an identification randomized ID. The 
identification server ID identifies an identification server peer 
group. The identification server peer group includes at least one 
server that maintains a mapping between an identification randomized 
ID and a user authentication peer group capable of authenticating 
a user associated with a particular randomized ID, and a mapping 
between the identification randomized ID and user information. The 
method also includes requesting authorization of the user by 
presenting the user identifier to a corresponding identification 
server peer group. Each server in the identification server peer 
group is configured to search for one or more matching entries including 
the randomized ID. 

[0021]... 

A method for browsing a data communications network includes requesting 
user data from a user-controlled secure device if a network site that 
requires the user data is accessed. The request is performed prior to 
requesting the user data from another device. The method also includes 
sending the user data to a network server associated with the network 
site if the user data is received from the user-controlled secure device. 
According to another aspect, a method for servicing data communications 
network information units includes receiving user data associated with a 
network site, using the user data if the user data includes static user 
data and reconstructing the user data before using the user data if the 
user data includes dynamic user data. 



French Abstract 

The invention relates to a method for browsing a data communications 
network, consisting of requesting user data from a user-controlled 
secure device if a network site requiring the user data is accessed. 
The request is executed before requesting the user data from another 
device. The method also consists of sending the user data to a network 
server associated with the network site if the user data is received 
from the user-controlled secure device. In another aspect, the 
invention relates to a method for servicing data communications network 
information units, consisting of receiving user data associated with a 
network site, using the user data if the user data comprises static 
user data, and reconstructing the user data before using the user data 
if the user data comprises dynamic user data. 

... server ID and an identification randomized ID. The identification 
server ID identifies an identification server peer group. The identification 
server peer group includes at least one server that maintains a 
mapping between an identification randomized ID and a user 
authentication peer group capable of authenticating a user 
associated with a particular randomized ID, and a mapping between the 
identification randomized ID and user information. The method also 
includes requesting authorization of the user by presenting the user 
identifier to a corresponding identification server peer group. 
Each server in the identification server peer group is configured 
to search for one or more matching entries including the randomized ID. 
[0021] ...Turning now to FIG. 36, a flow diagram that illustrates a method 
for using federated identification servers and federated user 
authentication servers using a randomized user identifier to gain 
access to a service while maintaining privacy in accordance with one 
embodiment of the present invention is presented. At 3600, a 
randomized user identifier is obtained. At 3605, a determination is 
made regarding whether it is time to use... 

...randomized ID is presented to a service portal. At 3615, a service 
portal sends a user authentication request to the identity server 
federation that contains the randomized identifier. At 3620, all servers 
in the identity server peer group search for a match with the 
randomized identifier. At 3625, a determination is made regarding 
whether a match was found. If there... 

...a match, at 3635 matching entries from the identity server federation 
are presented to a user authentication server federation to determine 
a single valid user data entry. Depending upon the amount of user 
authentication required and the capabilities of each user 
authentication server, multiple user authentication servers may 
cooperate in providing the required user authentication. 

[0132] According to one embodiment of 

English Abstract 

A method and system for providing secure access to accounts on a server 
connected to a computer network. According to the invention, session 
state information corresponding to a particular account user is encrypted 
and transmitted to the account user who transmits the encrypted session 
state information back with each request. When the account user submits a 
request to the server, the server decrypts the encrypted session state 
information and validates the session state information. If the session 
state information is valid, the server processes the user's request. 
Thus, the user becomes the source of the session state information, 
albeit in encrypted form, rather than a central database. 

French Abstract 

The invention relates to a method and system for providing secure 
access to accounts on a server connected to a computer network. 
According to the invention, the session state information corresponding 
to a given account user is encrypted and transmitted to that user, who 
transmits this information back with each request. When the account 
user submits a request to the server, the server decrypts the encrypted 
information and validates it. If the information is valid, the server 
processes the user's request. Thus it is the user, rather than a 
central database, who becomes the source of the session state 
information, albeit in encrypted form. 

Detailed Description 

illustrates a preferred method of the present invention. The first 
preferred embodiment contemplates that users access the service 
provider web site 80 on client computers 70 over the Internet 60. As is 
conventional, a user... 

...include a domain name or may comprise an IP address, consisting of 
numbers identifying the host server. In preferred form, when the 
user accesses service provider site 80, the account user is prompted for 
an account name or user identification and corresponding password 
(step 12). Server 50 passes the received account name and password to the 
master user database 40, which authenticates the user by comparing 
these inputs to the account names and passwords stored in the... 

Abstract (Basic): US 20030084170 A1 

NOVELTY - A user identifier including an identification 
server ID and an identification randomized ID is obtained. The user 
identifier is provided to an identification server peer group 
identified using the server ID for authorizing user (700) by 
comparing randomized IDs respectively included in the user 
identifier and maintained in the server peer group that also 
stores associated user information. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following: 

(1) program storage device storing user identification program; and 

(2) user identification apparatus. 

USE - For user identification in data communication network, 
e.g. LAN, WAN, internet, cable television network, telephone network, 
wireless telecommunication network, fiber optic network, ATM network, 
satellite communication network for service provision. 

ADVANTAGE - Performs efficient user authentication using 
received and stored data on open network without revealing unnecessary 
information while maintaining privacy. 

DESCRIPTION OF DRAWING(S) - The figure shows the flow diagram 
illustrating the conduction of secure transactions using user 
identification. 

user (700) 

pp: 76 DwgNo 7/51 

Title Terms: USER; IDENTIFY; METHOD; DATA; COMMUNICATE; NETWORK; COMPARE; 
RANDOM; ID; RESPECTIVE; RECEIVE; USER; IDENTIFY; MAINTAIN; IDENTIFY; 
SERVE; PEER; GROUP; STORAGE; USER; INFORMATION 
Derwent Class: T01; W01 

International Patent Class (Main): G06F-001/00; G06F-015/16 
International Patent Class (Additional): H04L-029/06 
File Segment: EPI 

Manual Codes (EPI/S-X): T01-N02B1B; T01-S03; W01-A05B 



41/9/11 (Item 11 from file: 350) 

DIALOG(R) File 350: Derwent WPIX 
(c) 2003 Thomson Derwent. All rts. reserv. 

014779503 **Image available** 
WPI Acc No: 2002-600209/200264 
XRPX Acc No: N02-475797 

Flexible service distribution for large scale communication network has 
secondary database for recovering user and server identifiers from 
primary database 

Patent Assignee: PLATA-ANDRES I (PLAT-I); SANCHEZ-HERRERO J (SANC-I); 
TELEFONAKTIEBOLAGET ERICSSON L M (TELF) 
Inventor: PLATA-ANDRES I; SANCHEZ-HERRERO J; ANDRES I P; SANCHEZ HERRERO J A 

Number of Countries: 100 Number of Patents: 002 

Patent Family: 

Patent No        Kind  Date      Applicat No     Kind  Date      Week 
WO 200271674     A2    20020912  WO 2002EP2440   A     20020306  200264 B 
US 20020147845   A1    20021010  US 2001273759   A     20010306  200269 
                                 US 200291658    A     20020304 

Priority Applications (No Type Date): US 200291658 A 20020304; US 
2001273759 P 20010306 

Patent Details: 

Patent No        Kind  Lan  Pg  Main IPC      Filing Notes 
WO 200271674     A2    E    42  H04L-000/00 



Designated States (National): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA 
CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN 
IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ 
OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA 
ZM ZW 

Designated States (Regional): AT BE CH CY DE DK EA ES FI FR GB GH GM GR 
IE IT KE LS LU MC MW MZ NL OA PT SD SE SL SZ TR TZ UG ZM ZW 

US 20020147845   A1              G06F-015/16   Provisional application US 2001273759 

Abstract (Basic): WO 200271674 A2 

NOVELTY - The User Distribution Server (UDS) has a secondary 
database for recovering user and server identifiers from the 
primary database and any other UDS in the network domain. The UDS is 
located accessible to query and request user information by redirecting 
the query to the appropriate server or serving entity. 

DETAILED DESCRIPTION - Preferably, the User Distribution Server 
(UDS) has the ability to handle requests from other UDS or Service 
Request Node by indicating that a query on the new identifier in 
another server is necessary, and optionally indicating the reason 
behind it. INDEPENDENT claims are also included for the following: 

(1) A telecommunication system comprising the User Distribution Server. 

(2) A method in a network domain for identifying a user under 
different service environments. 

USE - For large communication networks that use multiple 
servers to provide services to subscribers that are identified or 
accessed by a number of different user identifiers. 

ADVANTAGE - The use of primary and secondary databases simplifies 
data handling, as data changes and updates can be easily managed in the 
primary databases and then transferred to or actualized in the 
secondary database. 

DESCRIPTION OF DRAWING(S) - The drawing shows a network 
architecture containing the primary and secondary database structure. 

Abstract (Basic): US 6247055 B1 

NOVELTY - The client (131) receives a unique identifier assigned 
to a particular server during initial connection. The client sends a 
message to any active server in the computer network to receive the 
different network address associated with the received identifier. The 
client sends another message to the different network address to 
re-establish connection with the particular server. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following: 

(a) Method for re-establishing connection to failed database 
management system (DBMS) server; 

(b) Method for establishing connection between client and server; 

(c) System for re-establishing connection to failed DBMS server; 

(d) System for establishing connection between client and server; 

(e) Computer program product 

USE - For enabling a client system networked in sysplex environment 
through TCP/IP network to locate specific server. Also for use 
with multiprocessor network, file server, print server, file 
transfer programs (FTP), etc. 

ADVANTAGE - Preserves ability of client to access the sysplex 
seamlessly. Enhances work load balancing and data availability. Allows 
two-phase commit protocol to work properly even when DBMS server's 
network attributes are impacted. 

DESCRIPTION OF DRAWING(S) - The figure shows the explanatory 
drawing of sysplex environment. 

Client (131) 

Abstract (Basic): WO 200163878 A1 

NOVELTY - A page request is sent from the user to the site to be 
authenticated. A web page containing a site identification is 
generated and forwarded to the user. The site identification is 
forwarded to a verification server. The user is informed whether 
or not the site is authentic by comparing the site identification 
with the prestored identification. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following: 

(a) Computer program product; 

(b) Web site authenticity verification system; 

(c) Web site authenticity verification program 

USE - For verifying authenticity of web site in electronic 
commerce. 

ADVANTAGE - The web site authenticity is efficiently verified 
every time the web site is accessed. Hence efficient goods sale 
through the internet is facilitated. 

DESCRIPTION OF DRAWING(S) - The figure shows a schematic view of 
the web site authenticity verification system. 

Abstract (Basic): WO 9956194 A2 

NOVELTY - The IP address and uniform resource locator of the second 
server are stored in the server. The data identifying the resources, 
such as files, documents and web pages, is received from the client. The 
data used in identification of the second server is transmitted to the 
client so that the user of the client is authenticated by the second server. 

DETAILED DESCRIPTION - The specific data is transmitted to the 
client to enable the user to provide the user ID and password of the user. 
The state data is generated and transmitted to the client based on the 
received user ID and password. 

USE - For authentication of client user by servers connected 
in a distributed computing network such as the internet. For authentication of 
the user of a client such as a PC, workstation, cellular telephone or pager. 

ADVANTAGE - Allows the client user to provide authentication 
data to only one server and be authenticated by multiple servers. 
Eliminates repetitive, tedious user authentication process. 

DESCRIPTION OF DRAWING(S) - The figure shows a flow chart 
illustrating the client user authentication process. 

Abstract (Basic): JP 10154118 A 

The system includes a directory server which is connected to a 
network which has several firewalls that limit connection to the server. 
The directory server stores the ID of each computer using the network, 
accessible user IDs and information regarding the communication path. 
When the user of the accessing client is a legitimate user of the server, 
information on the communication path is searched from the ID information 
of the designated server. 

A relay server transmits information on the communication path to a 
communication group between client and server. The directory server 
and the firewall communicate mutually using predetermined setting 
information. The setting information is updated based on a predetermined 
set condition. 

ADVANTAGE - Improves security. Reduces information update work. 
Dwg. 1/8 
7314593 INSPEC Abstract Number: B2002-08-6150M-140, C2002-08-5640-091 
Title: Characterizing large DNS traces using graphs 

Author(s): Cranor, C.D.; Gansner, E.; Krishnamurthy, B.; Spatscheck, O. 
Author Affiliation: AT&T Labs-Res., Florham Park, NJ, USA 
Conference Title: Proceedings of the First ACM SIGCOMM Internet 
Measurement Workshop. IMW 2001 p. 55-67 
Publisher: ACM, New York, NY, USA 

Publication Date: 2001 Country of Publication: USA viii+311 pp. 
Material Identity Number: XX-2002-00525 

U.S. Copyright Clearance Center Code: ACM 1-58113-435-5/01/0011 $5.00 
Conference Title: Proceedings of ACM SIGCOMM Internet Measurement 
Workshop 2001 

Conference Date: 1-2 Nov. 2001 Conference Location: San Francisco, CA, 
USA 

Language: English Document Type: Conference Paper (PA) 
Treatment: Practical (P) 

Abstract: The increasing deployment of overlay networks that rely on DNS 
tricks has led to added interest in examining DNS traffic. In this paper we 
report on a characterization of DNS traffic gathered over a period of 
several weeks at Internet gateway routers (IGRs) in the AT&T Common 
Backbone. The characterization is carried out using several novel 
techniques to identify clients, local DNS servers, and authoritative 
DNS servers. Our techniques include passive and active measurements, 
graph-based analysis, examination of outliers, and explicit checks against 
data obtained from several external sources. Our contribution is the 
reduction of a very large data set (over 1 Terabyte of raw data) into a 
significantly smaller representation that is ideally suited for answering 
protocol-specific semantic queries quickly. After categorizing the 
addresses, we use the network aware clustering technique to group 
local DNS servers. By juxtaposing the DNS server clusters with 
clusters formed by Web clients obtained from a large portal Web site, we 
determine the distribution of identified DNS servers in busy clusters. 
A variety of applications are examined ranging from identifying suspected 
zombies to helping content distribution networks in mapping location of DNS 
servers. (8 Refs) 
Subfile: B C 
Copyright 2002, IEE 
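The role identification the abstract describes, separating clients, local DNS servers and authoritative servers from a trace and then looking for outliers such as suspected zombies, can be sketched on a small query graph. The block below is an added example and not the authors' code or data: the trace is constructed, and the classification rules and the fan-out threshold are heuristics chosen for the illustration rather than the paper's exact procedure.

```python
from collections import defaultdict

# Constructed sample trace (not data from the paper). One DNS message per
# line, as it might be logged at a gateway router:
#   src dst kind rd   where kind is Q (query) or R (response) and rd is the
#   recursion-desired flag carried by the query.
SAMPLE_TRACE = """
10.0.0.5      10.0.0.53      Q 1
10.0.0.53     10.0.0.5       R 1
10.0.0.53     198.51.100.10  Q 0
198.51.100.10 10.0.0.53      R 0
10.0.0.7      10.0.0.53      Q 1
10.0.0.53     10.0.0.7       R 1
10.0.0.53     198.51.100.11  Q 0
198.51.100.11 10.0.0.53      R 0
10.0.0.99     198.51.100.10  Q 0
10.0.0.99     198.51.100.11  Q 0
10.0.0.99     198.51.100.12  Q 0
10.0.0.99     203.0.113.5    Q 0
"""


def parse_trace(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, kind, rd = line.split()
        records.append((src, dst, kind, rd == "1"))
    return records


def query_graph(records):
    """Directed graph with one edge src -> dst per query seen. Responses are
    ignored: the query direction already says who asks whom."""
    asks = defaultdict(set)       # node -> servers it sent queries to
    asked_by = defaultdict(set)   # node -> hosts that queried it
    for src, dst, kind, _rd in records:
        if kind == "Q":
            asks[src].add(dst)
            asked_by[dst].add(src)
    return asks, asked_by


def classify(records):
    """Role per address from its position in the query graph (heuristic
    chosen for this example, not the paper's exact procedure):
      asks and is asked -> local (recursive) DNS server
      only is asked     -> authoritative server
      only asks         -> client"""
    asks, asked_by = query_graph(records)
    roles = {}
    for node in set(asks) | set(asked_by):
        sends, receives = bool(asks.get(node)), bool(asked_by.get(node))
        if sends and receives:
            roles[node] = "local-dns"
        elif receives:
            roles[node] = "authoritative"
        else:
            roles[node] = "client"
    return roles


def suspicious_clients(records, min_fanout=3):
    """Clients that bypass any local resolver and query many distinct servers
    directly. They stand out as outliers worth a closer look (for instance as
    candidate zombies); the threshold is a parameter of this example."""
    asks, _ = query_graph(records)
    roles = classify(records)
    return sorted(n for n, r in roles.items()
                  if r == "client" and len(asks.get(n, ())) >= min_fanout)
```

On the sample, 10.0.0.53 is the only node that both asks and is asked, so it is the local resolver; 10.0.0.99 talks to four authoritative servers directly and is the one outlier the fan-out check flags.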
5670336 INSPEC Abstract Number: C9710-5620-005 
Title: User authentication in mobile computing environment 

Author(s): Takubo, A.; Ishikawa, M.; Watanabe, T.; Soga, M.; Mizuno, T. 

Author Affiliation: Mitsubishi Electr. Corp., Kamakura, Japan 

Journal: IEICE Transactions on Fundamentals of Electronics, 
Communications and Computer Sciences vol.E80-A, no. 7 p. 1288-98 

Publisher: Inst. Electron. Inf. & Commun. Eng. 

Publication Date: July 1997 Country of Publication: Japan 

CODEN: IFESEX ISSN: 0916-8508 

SICI: 0916-8508(199707)E80A:7L.1288:UAMC;1-G 

Material Identity Number: P710-97008 

Language: English Document Type: Journal Paper (JP) 
Treatment: Theoretical (T) 

Abstract: Computers are connected with each other by networks as a result 
of the progress of technology in the field of computers and networks, and 
all of the data to be processed are transferred quickly and in real time 
through the computer network. Although the user can use the computer system 
at any time, the user must go to the location of the computer system to use 
its resources. The need to use the computer system arises anywhere and at 
any time, regardless of the location of the computer system. For this 
requirement the mobile computing environment (MCE) is strongly expected. In 
this paper we introduce the model of the MCE and discuss the need for user 
authentication when entering and logging in to the network in the MCE with 
only a user ID. We propose a method of user ID assignment from which a 
server ID can be decided by a simple logical operation. We also propose a 
protocol for user authentication in the MCE and discuss the robustness of 
its security against various attacks on the route. (20 Refs) 
Subfile: C 
Copyright 1997, IEE 
5587702 INSPEC Abstract Number: B9707-6210L-011, C9707-5640-003 
Title: Authentication system of mobile computing environment 

Author(s): Takubo, A.; Ishikawa, M.; Watanabe, T.; Soga, H.; Mizuno, T. 
Author Affiliation: Comput. Works, Mitsubishi Electr. Corp., Japan 
Journal: Reports of the Graduate School of Electronic Science and 
Technology, Shizuoka University no. 18 p. 157-65 
Publisher: Shizuoka Univ. 

Publication Date: March 1997 Country of Publication: Japan 

CODEN: SDDHEN ISSN: 0388-5070 

SICI: 0388-5070(199703)18L.157:ASMC;1-# 

Material Identity Number: H725-97001 

Language: Japanese Document Type: Journal Paper (JP) 
Treatment: Applications (A); Theoretical (T) 

Abstract: Computers are connected with each other by a network as a 
result of the progress of technology in the field of computers and 
networks, and all of the data to be processed are transferred quickly 
and in real time through the computer network. Although the user can use 
the computer system at any time, the user must go to the location of the 
computer system to use its resources. The need to use the computer system 
can arise anywhere and at any time, regardless of the location of the 
computer system. For this requirement there are high expectations of the 
mobile computing environment (MCE). In this paper we introduce the model 
of an MCE and discuss the need for user authentication when entering and 
logging into the network in the MCE with only a user ID. We propose a 
method of user ID assignment from which a server ID can be decided by a 
simple logical operation. We also propose a protocol for user 
authentication in the MCE and discuss the robustness of its security 
against various attacks on the route. (14 Refs) 
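Both Takubo et al. records above rest on a user ID layout from which the home server ID follows by a simple logical operation, so that a server the roaming user happens to contact can route the login without a directory lookup. The block below is an added example, not the authors' scheme: the field widths, the XOR-folded check field, the `AuthServer` class and the `login` routine are assumptions made for the illustration, and the password comparison stands in for the paper's authentication protocol, which the abstracts do not spell out.

```python
import hmac

# Field layout of a user ID (assumption made for this example):
#   [ server ID : 6 bits ][ sequence number : 20 bits ][ check : 6 bits ]
SERVER_BITS, SEQ_BITS, CHECK_BITS = 6, 20, 6
SERVER_MASK = (1 << SERVER_BITS) - 1
SEQ_MASK = (1 << SEQ_BITS) - 1
CHECK_MASK = (1 << CHECK_BITS) - 1


def _fold(value: int) -> int:
    """XOR-fold value into CHECK_BITS bits; any single-bit error changes it."""
    c = 0
    while value:
        c ^= value & CHECK_MASK
        value >>= CHECK_BITS
    return c


def assign_user_id(server_id: int, seq: int) -> int:
    if not 0 <= server_id <= SERVER_MASK or not 0 <= seq <= SEQ_MASK:
        raise ValueError("field out of range")
    payload = (server_id << SEQ_BITS) | seq
    return (payload << CHECK_BITS) | _fold(payload)


def home_server_of(user_id: int) -> int:
    """Recover the home server with shifts and masks only. IDs whose check
    field does not match are rejected so a corrupted ID is routed nowhere."""
    payload, check = user_id >> CHECK_BITS, user_id & CHECK_MASK
    if check != _fold(payload) or payload >> (SEQ_BITS + SERVER_BITS):
        raise ValueError("invalid user ID")
    return (payload >> SEQ_BITS) & SERVER_MASK


class AuthServer:
    """Hypothetical authentication server holding the accounts it issued."""

    def __init__(self, server_id: int):
        self.server_id = server_id
        self.accounts = {}          # user_id -> password (sample data only)

    def enrol(self, seq: int, password: str) -> int:
        uid = assign_user_id(self.server_id, seq)
        self.accounts[uid] = password
        return uid

    def verify_local(self, user_id: int, password: str) -> bool:
        stored = self.accounts.get(user_id)
        return stored is not None and hmac.compare_digest(stored, password)


def login(visited: AuthServer, servers: dict, user_id: int, password: str) -> bool:
    """Roaming case: the visited server derives the home server from the ID
    and forwards the check there (or handles it itself if it is the home)."""
    try:
        home = home_server_of(user_id)
    except ValueError:
        return False
    target = visited if home == visited.server_id else servers.get(home)
    if target is None:
        return False
    return target.verify_local(user_id, password)
```

The check field is what makes the "simple logical operation" safe to act on: without it, a transmission error or a deliberately altered ID would quietly send the login to an unrelated server.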
4866601 INSPEC Abstract Number: A9504-2980-020, B9503-7410-044, 
C9503-3380D-061 

Title: Access control and security for a distributed control system 

Author(s): Meyer, J.; Gotz, A.; Klotz, W.D. 
Author Affiliation: ESRF, Grenoble, France 

Journal: Nuclear Instruments & Methods in Physics Research, Section A 
(Accelerators, Spectrometers, Detectors and Associated Equipment) 
vol.352, no. 1-2 p. 289-92 

Publication Date: 15 Dec. 1994 Country of Publication: Netherlands 

CODEN: NIMAER ISSN: 0168-9002 

U.S. Copyright Clearance Center Code: 0168-9002/94/$07.00 

Conference Title: Third International Conference on Accelerator and Large 
Experimental Physics Control Systems 

Conference Date: 18-23 Oct. 1993 Conference Location: Berlin, Germany 
Language: English Document Type: Conference Paper (PA); Journal Paper 
(JP) 

Treatment: Practical (P) 

Abstract: The control system of the European Synchrotron Radiation 
Facility (ESRF) is object-oriented and distributed. Device access is based 
on the client-server model. To protect sensitive hardware devices an access 
control and security system has been added. This offers users read, write, 
super-user or single-user access to hardware objects, families or even 
whole areas of the facility. A memory-based security database, accessed by 
an internal control system service, combines device names, access rights, 
user IDs, group IDs and host/network addresses. Access rights 
must be requested at connection time and are guaranteed by a fast access 
key mechanism. The paper describes the design and discusses the needs for 
the implemented access rights and protection possibilities. (3 Refs) 
Subfile: A B C 

Copyright 1995, FIZ Karlsruhe 
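The security database the ESRF abstract describes (device names, rights levels, user and group IDs, host/network addresses, rights requested at connection time and enforced afterwards through a fast access key) can be modelled in a few dozen lines. The block below is an added example, not ESRF code: the rule syntax, the ordering of the rights levels, the exclusive semantics given to single-user access and all names are assumptions made for the illustration.

```python
import fnmatch
import ipaddress
import secrets
from dataclasses import dataclass

# Rights in increasing order of privilege. Assumption for this example:
# each level includes the ones below it, and single-user access is write
# access that additionally excludes every other writer on the device.
LEVEL = {"read": 1, "write": 2, "super": 3, "single": 4}


@dataclass(frozen=True)
class Rule:
    device: str          # exact name, or glob: "sr/rf/*" (family), "sr/*" (area)
    right: str
    user: str = "*"      # "*" = any user
    group: str = "*"     # "*" = any group
    network: str = "*"   # "*" = any host, else CIDR such as "10.0.1.0/24"

    def matches(self, device, user, group, host) -> bool:
        if not fnmatch.fnmatchcase(device, self.device):
            return False
        if self.user != "*" and self.user != user:
            return False
        if self.group != "*" and self.group != group:
            return False
        if self.network != "*" and \
                ipaddress.ip_address(host) not in ipaddress.ip_network(self.network):
            return False
        return True


class SecurityDB:
    """In-memory database of rules, outstanding access keys and single-user
    locks (hypothetical design, not ESRF's implementation)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.keys = {}     # key -> (device, level, user)
        self.locks = {}    # device -> user holding single-user access

    def granted_level(self, device, user, group, host) -> int:
        levels = [LEVEL[r.right] for r in self.rules
                  if r.matches(device, user, group, host)]
        return max(levels, default=0)

    def request_access(self, device, right, user, group, host):
        """Called once at connection time. Returns an access key or None."""
        wanted = LEVEL[right]
        if self.granted_level(device, user, group, host) < wanted:
            return None
        holder = self.locks.get(device)
        if wanted >= LEVEL["write"] and holder not in (None, user):
            return None                  # someone else has exclusive access
        if right == "single":
            self.locks[device] = user
        key = secrets.token_hex(16)
        self.keys[key] = (device, wanted, user)
        return key

    def check(self, key, device, right) -> bool:
        """Fast per-request check: no rule evaluation, just a key lookup."""
        entry = self.keys.get(key)
        return entry is not None and entry[0] == device and entry[1] >= LEVEL[right]

    def release(self, key) -> bool:
        entry = self.keys.pop(key, None)
        if entry is None:
            return False
        device, level, user = entry
        if level == LEVEL["single"] and self.locks.get(device) == user:
            del self.locks[device]
        return True
```

The expensive decision (rule matching on device, user, group and source network) happens once, at connection time; every later device call only looks up the random key, which is the "fast access key mechanism" the abstract mentions. Keys are bound to one device and one level, so a key obtained for reading cannot be replayed for writing or against another device.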
04303833 INSPEC Abstract Number: C9301-6130S-048 
Title: A service based security architecture for distributed systems 
Author(s): Kading, M. 

Author Affiliation: Tech. Univ. Berlin, Germany 

Conference Title: Architektur von Rechensystemen. 12. GI-ITG-Fachtagung 
(Architecture of Computing Systems. 12th GI-ITG-Meeting) p. 282-93 
Editor(s): Jammel, A. 

Publisher: Springer-Verlag, Berlin, Germany 

Publication Date: 1992 Country of Publication: West Germany ix+369 pp. 

ISBN: 3 540 55340 1 

Conference Date: 23-25 March 1992 Conference Location: Kiel, Germany 
Language: German Document Type: Conference Paper (PA) 
Treatment: Practical (P) 

Abstract: Important security requirements in distributed computer systems 
include safeguarding of communication, user identification, and access 
control. The article introduces a system security software architecture, 
realisable with the aid of available services, which meets these 
requirements. Features of the development environment based on several 
workstation computers, service computers, networks, and software, are 
summarised. Central server authentication, user identification, 
object access, function control, and object flow control service tasks 
aiding realisation of the security architecture are described. Access 
control is rule based and is defined by a security policy. Advantages of 
the distributed system security architecture include system-independence, 
modularity, and easy expandability. (12 Refs) 
06004285 E.I. No: EIP02066855081 

Title: Three-party Encrypted Key Exchange without server public-keys 

Author: Lin, Chun-Li; Sun, Hung-Min; Steiner, Michael; Hwang, Tzonelih 

Corporate Source: Dept. of Comp. Sci. and Info. Eng., National Cheng Kung 
University, Tainan 701, Taiwan 

Source: IEEE Communications Letters v 5 n 12 December 2001. p 497-499 

Publication Year: 2001 

CODEN: ICLEF6 ISSN: 1089-7798 

Language: English 

Document Type: JA; (Journal Article) Treatment: T; (Theoretical) 
Journal Announcement: 0202W2 

Abstract: Three-party key-exchange protocols with password 
authentication - clients share an easy-to-remember password with a 
trusted server only - are very suitable for applications requiring secure 
communications between many light-weight clients (end users); it is simply 
impractical that every two clients share a common secret. In 1995, 
Steiner, Tsudik and Waidner proposed a realization of such a three-party 
protocol based on the Encrypted Key Exchange (EKE) protocols. However, 
their protocol was later demonstrated to be vulnerable to off-line and 
undetectable on-line guessing attacks. In 2000, Lin, Sun, and Hwang 
proposed a secure three-party protocol with server public-keys. However, 
the approach of using server public-keys is not always a satisfactory 
solution and is impractical for some environments. In this letter, we 
propose a secure three-party EKE protocol without server public-keys. 9 
Refs. 
01754971 ORDER NO: AADAA-I9978381 

Techniques for supporting service scalability over the Internet 

Author: Fei, Zongming 
Degree: Ph.D. 
Year: 2000 

Corporate Source/Institution: Georgia Institute of Technology (0078) 
Director: Mostafa H. Ammar 

Source: VOLUME 61/07-B OF DISSERTATION ABSTRACTS INTERNATIONAL. 
PAGE 3683. 145 PAGES 
ISBN: 0-599-84255-5 

With the explosive growth of the Internet, the number of clients a 
service needs to handle can potentially be quite large. We identify two 
approaches to improve the ability of a service to deal with a large number 
of clients. One is replication, in which a server is 
replicated and distributed across the Internet. Another is 
multicast communication, in which a server delivers 
information to multiple clients, simultaneously. 

To deploy these techniques effectively, we have to deal with several 
important issues. When replication is used, the primary concern is how a 
client may discover which of the servers is best to use. This is the 
server selection problem. When multicast is used, it 
satisfies requests of several users at one time and thus, to some extent, 
sacrifices the special requirements of each individual user. There is a 
problem of accommodating individuality in multicast 
communication. We address these two issues in this work. 

In the case of server selection, we study the issue in both unicast 
and multicast environments. For the unicast server selection, we target an 
environment in which servers are distributed across the Internet, and 
clients identify servers using the application-layer anycasting 
service. We specifically consider replicated web servers, with a goal to 
minimize clients' response time. The problem of multicast server selection 
differs from the unicast case in that the load on servers does not directly 
depend on the number of clients. We define and give solutions to several 
multicast server selection problems, aiming at minimizing the total cost 
of the system. We also study the selection problem of a special kind of 
multicast servers (called adaptive servers), and propose several methods to 
improve the performance perceived by the clients. 

In the case of accommodating individuality in the multicast 
communication, we specifically investigate how to provide interactive 
functions in partitioned multicast video-on-demand systems. We propose an 
active buffer management scheme that can achieve a high probability of 
satisfying individual user requirements for interactivity. 



22/7/17 (Item 1 from file: 95) 

DIALOG(R) File 95: TEME-Technology & Management 
(c) 2003 FIZ TECHNIK. All rts. reserv. 

01365139 19991104792 

Doppelt gemoppelt. Token-basierende Authentisierung [Belt and braces: 
token-based authentication] 

Anonymous 

Network Computing, v55, n23, pp48-52, 1999 
Document type: journal article Language: German 
Record type: Abstract 
ISSN: 1435-2524 

ABSTRACT: 

Tokens and the corresponding authentication systems are able to identify 
groups of mobile users securely and efficiently in any remote-access 
situation. Token applications also raise the security level by building 
administration hierarchies in the network and reinforcing the classic 
password with a token. A test evaluates the management, security, standards 
compliance and ease of use of the following four token-based 
authentication systems: CryptoAdmin 4.0 from CryptoCard, Ace/Server 3.3.1 
from Security Dynamics, VACman 3.5 from Vasco Data Security and SmartGate 
2.6a from V-One. The test concentrated on integration into an existing 
network and analysed the key functions of client-server configuration and 
user-token management. Ace/Server from Security Dynamics was determined to 
be the test winner. 
2084890 H.W. WILSON RECORD NUMBER: BAST00018583 
Webrelay: a multithreaded HTTP relay server 
Zhang, Peter 

Dr. Dobb's Journal v. 25 no. 2 (Feb. 2000) p. 86-96 
DOCUMENT TYPE: Feature Article ISSN: 1044-789X 

ABSTRACT: The writer discusses webrelay, a freely available multi-threaded 
HTTP relay server. Webrelay was designed to address the problem faced by 
legitimate users of a university library. When these users connected 
directly to the Internet from an off-campus IP address, the vendor web 
server typically rejected the access request. Webrelay authenticates 
clients to ensure they are legitimate users before connecting them to the 
vendor web server. The vendor's server subsequently identifies 
requests as coming from the relay server itself, which always has a valid 
IP address or campus-wide user identification. 



22/7/20 (Item 2 from file: 144) 

DIALOG(R) File 144: Pascal 

(c) 2003 INIST/CNRS. All rts. reserv. 

14555848 PASCAL No.: 00-0221933 

Achieving non-repudiation of Web based transactions 

KALLA M; WONG J S K; MIKLER A R; ELBERT S 
Iowa State Univ, Ames IA, United States 

Journal: Journal of Systems and Software, 1999, 48 (3) 165-175 
ISSN: 0164-1212 CODEN: JSSODM Availability: INIST-18071 
No. of Refs.: 25 Refs. 

Document Type: P (Serial); A (Analytic) 
Country of Publication: United States 
Language: English 

In this paper, we describe our approach to achieve non-repudiation for 
World Wide Web (WWW) based transactions. We designed and implemented 
protocols for preparing digital signatures on the server as well as the 
client machine. In our design, we use the popular Pretty Good Privacy (PGP) 
software for preparing and verifying digital signatures. The 
key-contribution is the deployment of a special purpose HTTP server, called 
signing server, on the client machine to communicate with the WWW browser. 

A signing server is specialized to handle digital signatures. This paper 
discusses the design and implementation of the signing server protocol to 
achieve non-repudiation transactions in a WWW based employee information 
system. The technique of deploying special purpose HTTP servers on the 
client machine has many applications beyond this. It inter-operates with 
all types of browsers and is an attractive alternative to browser dependent 
plug-ins. 
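Running a signing server on the client machine, as the Kalla et al. record describes, means that any page the browser has open can reach it, not only the employee information system; binding to the loopback address does not change that. The block below is an added example and not the authors' implementation: it shows the check a practitioner would want at that boundary (an Origin allow-list plus a per-session token) in front of a stand-in signing routine. The origin, the token hand-over, the HMAC used in place of PGP and the port are assumptions; real non-repudiation needs an asymmetric signature, which a MAC cannot provide.

```python
import base64
import hashlib
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Only pages from the employee information system may request signatures
# (hypothetical origin). Any site open in a browser on this machine can send
# requests to 127.0.0.1, so loopback binding alone is not a sufficient check.
ALLOWED_ORIGINS = {"https://hr.example.edu"}

# Per-session secret the application hands to its own page (assumption:
# delivered over the user's authenticated HTTPS session, unreadable elsewhere).
SESSION_TOKEN = secrets.token_urlsafe(32)

# Stand-in for the user's PGP signing key so the example runs without PGP.
# A shared MAC key cannot give non-repudiation; a deployment needs a real
# asymmetric signature here.
SIGNING_KEY = secrets.token_bytes(32)


def canonical(transaction) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()


def sign(data: bytes) -> str:
    return base64.b64encode(hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()).decode()


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


def handle_sign(headers, body: bytes):
    """Policy for POST /sign. Returns (HTTP status, JSON-serialisable body)."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, {"error": "origin not allowed"}
    if not hmac.compare_digest(headers.get("X-Signing-Token", ""), SESSION_TOKEN):
        return 403, {"error": "missing or wrong session token"}
    try:
        transaction = json.loads(body)["transaction"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "expected a JSON object with a 'transaction' field"}
    data = canonical(transaction)
    return 200, {"signed": data.decode(), "signature": sign(data)}


class SigningHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/sign":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        status, payload = handle_sign(self.headers, self.rfile.read(length))
        out = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):   # keep the example quiet
        pass


def serve(port=8765):
    HTTPServer(("127.0.0.1", port), SigningHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The page would POST `{"transaction": {...}}` with an `X-Signing-Token` header to `http://127.0.0.1:8765/sign`. The Origin check stops other sites from asking for signatures through the user's browser, and the session token covers clients that send no Origin header at all; the canonical encoding ensures the bytes that were signed are the bytes later verified.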
00354194 94NC07-010 
DCA's Remote LAN Node 
Boardman, Bruce 

Network Computing, July 1, 1994, v5 n8 p98-100, 102+, 4 Page(s) 
ISSN: 1046-4468 

Company Name: Digital Communications Associates 
Product Name: Remote LAN Node 

Presents a mixed review of Remote LAN Node v2.0 ($na), a remote access 
product from Digital Communications Associates (DCA) of Alpharetta, GA 
(404). Says Remote LAN Node (RLN) has a strong management component and a 
good Windows client implementation, but is a mediocre performer with a high 
price. Reveals that RLN functions as a bridge, supports many protocols, and 
can assign MAC addresses to user IDs permanently across servers, but 
its proprietary multiport asynchronous communications board caused 
significant performance inconsistencies, even hang-ups in testing. 
Concludes that of the products tested, RLN had the best management strategy 
for scaling access into large networks. Includes one photo and a table 
comparing features. (CH) 
HP Software Decides Who Should Have Access to Data 

American Banker, p 18, col 1 
Jul 23, 1998 

ISSN: 0002-7561 NEWSPAPER CODE: AB 

DOCUMENT TYPE: News; Newspaper 

LANGUAGE: English RECORD TYPE: ABSTRACT 

LENGTH: Medium (6-18 col inches) 

ABSTRACT: Hewlett-Packard Co. has introduced software designed to make it 
easier to grant secure information access to individuals outside an 
organization, such as customers, partners, suppliers, and employees. The HP 
Praesidium Authorization Server identifies users and imposes rules 
for who can have access to data. It can protect content traveling across 
corporate intranets, extranets, and the Internet. The controls let the 
World Wide Web be used "for trading and high-value business customers who 
wish to exchange funds or see if checks have cleared," said Cyndi Nickel, 
business planning manager of Hewlett-Packard's Internet security operation. 
TEXT: 

...same level of certainty from their intranet and extranet Web pages, and 
applications. "WebCrusader lets clients verify the ID of the server 
they are connected to," he said, adding that this has got rid of Web 
spoofing... 
...TEXT: servers, who have many service instances. It maintains booked 
service instances, message encryption keys, and client host 
identifications. In addition, it manages service booking and client 
authentication. 

There are several advantages of our secure RPC framework. A client host is 
responsible for... 
Web spins new communications era 

Elgar, Eric 

Computer Reseller News n703 PP: 85, 90+ Sep 30, 1996 
ISSN: 0893-8377 JRNL CODE: CRN 
WORD COUNT: 1570 

...TEXT: to limit user access to the corporate infostructure. 

The perfect platform enforces security through bidirectional 
authentication in which clients and server identify themselves 
through unique encrypted certificates and field-level encryption. The added 
features of user-definable... 
Lotus Notes thrives in NI^ form 

Goldberg, Steven 

Network World v11 n21 PP: 1, 60+ May 23, 1994 
ISSN: 0887-7661 JRNL CODE: NWW 
WORD COUNT: 1865 

...TEXT: Notes databases. During installation, IDs are established for the 
Notes Administrator and for the new server. 

The certifier ID, in essence, stamps both the user ID and the server 
ID. This unique stamp, or certificate, is the validation mechanism 
that permits client-server and server-server communication. 

Notes provides two different certification schemes, canonical and 
hierarchical. In... 
MDOS System More Secure. Is It More Complacent, Too? 

Trowbridge, Dave 

Computer Technology Review v12 n8 PP: 1-2, 11 Jul 1992 
ISSN: 0278-9647 JRNL CODE: CTN 
WORD COUNT: 1507 

...TEXT: levels of network security in addition to host security. Level 2, 
the highest, requires a matching password and user ID in the server 
computer's authorization file. Level 1 requires only the user ID, and 
Level 0 is no security at all. These levels are integrated with the host 
internal security settings, so that privileges granted are the intersection 
of the set of privileges authorized on the client (accessing) computer 
with those on the server (accessed) computer. 

RESOURCE CONTROL 

All of the MDOS... 
RSA Encryption Technology Helps Enable Marimba Offer Secure Solution for 
Internet Software Management, Distribution 

DATE: November 5, 1997 16:58 EST WORD COUNT: 727 

... a Castanet Transmitter server and Tuner client. In addition, a secure 
transmission server can be authenticated by subscribers, enabling a 
subscriber to identify the transmitter host name. 

Using RSA and Verisign Digital ID technology, a channel developer may 
digitally sign a... 
National Grocers Association Endorses Concord EFS' E-Com Solution 

Business Wire 
JOURNAL CODE: BW LANGUAGE: ENGLISH RECORD TYPE: FULLTEXT 
DOCUMENT TYPE: NEWSWIRE 
WORD COUNT: 620 

...the manufacturer. All transactions are executed 
using the latest security techniques, including firewall interfaces, 
encryption, server authentication, user IDs, password protection, user 
profile controls, and restricted exchange of documents between trading 
partners. 

"Electronic... 



32/3, K/38 (Item 5 from file: 20) 

DIALOG(R) File 20: Dialog Global Reporter 
(c) 2003 The Dialog Corp. All rts. reserv. 

02152593 (USE FORMAT 7 OR 9 FOR FULLTEXT) 
INFOTECH BUYLINE 

INFOTECH WEEKLY, p21 
June 15, 1998 

JOURNAL CODE: WIWY LANGUAGE: English RECORD TYPE: FULLTEXT 
WORD COUNT: 501 

Verisign, to offer 128-bit encryption to Lotus Domino Server 
customers. 

Using Verisign's Global Server IDs, approved customers may use 
the encryption for intranet, extranet and Internet communications. 

The agreement lets users verify when their Domino Server is being 
accessed and has been issued a Global Server ID. If the server sees 
this ID it boosts encryption to a stronger level. 

Until recently the United States Government did not... 
Power In Hand. (Company Business and Marketing) 

Wallach, Susan Levi 

Sm@rt Partner, v4, n8, p42 

Feb 26, 2001 
Document Type: Magazine/Journal; Trade 
Word Count: 1700 

... is a client that, in the ICU implementation, resides on a Palm 
Pilot VIIx. 

The client controls authentication and security, so the server 
can identify the user who is logging in. "When you log in for the first 
time and you need... 
Network management packages. (Buyers Guide) 
Word Count: 1076 

... display graphical maps of the network, discover and identify 
failing network devices, synchronize lists of authorized user IDs 
across servers, distribute software updates as well as server and client 
configurations, detect network intruders or keep... 
... NEC CORP. on a new Internet security service. By combining 
Verisign's OnSite PKI digital ID server software with NEC's digital 
certificate verification system, the service will issue digital 
certificates, authenticate users, encrypt data transmissions and 
protect online transactions. NEC hopes the new partnership will generate 
$46... 

...applications. Unlike OnSite, which can take more than 10 days to set up 
digital IDs for new users, Go Secure! can generate up to a million 
digital IDs in a few days. It... 

...more suitable to replace less-secure, password-based systems for 
granting large numbers of users access to Web applications and 
extranet/intranet resources. 

Targeting the same market segment, newcomer GRADIENT TECHNOLOGIES, 
INC. has... 



32/3, K/44 (Item 6 from file: 16) 

DIALOG(R) File 16: Gale Group PROMT(R) 

(c) 2003 The Gale Group. All rts. reserv. 

07340507 Supplier Number: 61953692 (USE FORMAT 7 FOR FULLTEXT) 
VPN Authentication Moves To LANs — Alcatel adds RADIUS technology, 
typically used for remote access, to its switch. (Company Business and 
Marketing) 

Yasin, Rutrell 
InternetWeek, p20 
April 24, 2000 

Language: English Record Type: Fulltext 
Document Type: Tabloid; Trade 
Word Count: 485 

... the user is prompted for a password or other ID. The switch's 
integrated Radius client then authenticates the user with information 
stored in the Radius server. 

After the server identifies the user, the switch places the PC 
into the authorized subnet or zone. The switch also gathers... 



32/3, K/47 (Item 9 from file: 16) 

DIALOG(R) File 16: Gale Group PROMT(R) 

(c) 2003 The Gale Group. All rts. reserv. 

05178512 Supplier Number: 47902887 (USE FORMAT 7 FOR FULLTEXT) 
Reining In Remote Access; RADIUS and TACACS compete to bring better control 
over dial-up access 

Dutcher, William 
PC Week, p083 
August 11, 1997 

Language: English Record Type: Fulltext 

Document Type: Magazine/Journal; Tabloid; General Trade 

Word Count: 1605 

... ID and password system. The simplest way to implement remote access 
is to embed the user ID in the access server itself, because the device 
that controls the modem and the ports also validates the user. 

For example, Cisco Systems Inc.'s 2500 series of remote access 
servers maintain user IDs and passwords as part of the system 
configuration file. The passwords are usually encrypted within... 
Word Count: 2155 

... to limit user access to the corporate infostructure. 

The perfect platform enforces security through bidirectional 
authentication in which clients and server identify themselves 
through unique encrypted certificates and field-level encryption. The added 
features of user-definable... 
... issue with VRML... Our biggest file so far is 100KB," Connell said. 

CyberHub includes a user identification server to verify a 
user's entry to a site, a motion-tracking database that follows users' 
actions, and an... 
... US users can use PGP (Pretty Good Privacy). The Kerberos system 
relies on passwords to authenticate users, which only make sense when 
put together with code at a central Kerberos server. At the client end the 
application requests that the Kerberos server verify the user ID. The 
server issues users with keys and logs a database of users and their 
individual keys, so...data is a temporary key for the session and an 
encrypted ticket. In order to authenticate themselves, the user returns 
the ticket to the Kerberos server along with an encrypted message coded 
with the... 

...user decrypts with the issued temporary key - their own key is never 
sent across the network from client to server, only the temporary one. 
It should be noted that Kerberos is included in OSF's... 



32/3, K/56 (Item 18 from file: 16) 

DIALOG(R) File 16: Gale Group PROMT(R) 

(c) 2003 The Gale Group. All rts. reserv. 

02211750 Supplier Number: 42881924 (USE FORMAT 7 FOR FULLTEXT) 

Remote LAN Manager: Microsoft's Remote Access Server 

... Issuing RASDIAL servername will initiate the calling sequence. Once 
connected, the RAS server validates the UserID and password, and checks 
to see if the user is authorized to access the network via async. 
If a callback mode is specified, the server will drop the carrier and... 

...user's station, whereas RASDIAL will answer the phone and prompt for 
validation information. The UserID used to connect does not have to be 
the same as the login ID. All RAS servers in the same domain share a 
common user database, so maintaining multiple servers is as painless as 
it is in the regular NETADMIN utility. 
Once the connection is... 
Digital IDs. (server, client certificates for data authentication) 
(Technology Information) 
...and running is straightforward. (See "How Hard Is Notes to 
Install?" on page 105.) Creating user and server IDs takes some work 
because Notes' security features rest on the system's ability to validate 
the user. Each ID includes public and private encryption keys, for 
instance, which can generate an electronic signature that... 
V-One raises SmartGate. (the Virtual Open Network Environment Corp's 
SmartGate secure gateway for network servers) (Product Announcement) 

...ABSTRACT: the SmartGate client/server application that can be used as a 
secure gateway on most network servers. The program ensures mutual 
authentication by client and server to provide a higher level of network 
security than firewalls or other secure... 

...SmartGate server application, after which SmartGate generates a public 
encryption key that serves as the client ID; client and server 
authenticate each other in subsequent sessions, and a random key is 
generated rather than a new... 
... the home network is no longer secure. 

The basis of all secure remote access is user identification. 
Host systems must be able to identify a user and verify their 
identification before the user is able to gain access to the network 
information. Although many users believe that passwords alone provide 
adequate remote access security, truly... 

...technologies such as combined encryption with access control mechanisms. 
Another new technology called two-factor user authentication is a 
process that identifies all users and assures that only authorized 
users gain access to network resources. 

Security concerns will become even more of an issue as the number of 
remotely... 
TEXT: 

...the strong authentication of POP3 and SMTP email protocols. It employs 
LDAP directories and Radius identification servers to manage 
authenticated users. Finally, M>Wall 4 includes a 168-bit triple-DES 
strong encryption module for which... 

...up to the application level, for every communication. * Authentication: 
the M>Wall Card module enables user identification with a smart card. * 
Encryption — scrambling of information and data: ensures the 
confidentiality and integrity of... 

...Key, Defender, Digipass or Vasco. M>Wall is also compatible with LDAP 
and RADIUS type user authentication databases. Smartcard solution 
simplifies user identification. M>WallCard is the smartcard module of 
the M>Wall 4.0 firewall that ensures strong authentication. It enables 
users in a company to access information on their intranet or on the 
extranet using a personal smartcard containing their user ID. 
Smartcard authentication provides a very deep level of security and 
integrity in a convenient, standard and customizable... 

...s extensive expertise and experience, M>Tunnel was developed in complete 
accordance with the IPSEC Internet security protocol. It uses 56 to 
168-bit keys (DES, Triple DES) to provide strong cryptographic capability. 
In October... 
... the user is prompted for a password or other ID. The switch's
integrated Radius client then authenticates the user with information
stored in the Radius server.

After the server identifies the user, the switch places the PC
into the authorized subnet or zone. The switch also gathers...

... Issuing RASDIAL servername will initiate the calling sequence. Once
connected, the RAS server validates the UserID and password, and checks
to see if the user is authorized to access the network via async.
If a callback mode is specified, the server will drop the carrier and...

...user's station, whereas RASDIAL will answer the phone and prompt for
validation information. The UserID used to connect does not have to be
the same as the login ID. All RAS servers in the same domain share a
common user database, so maintaining multiple servers is as painless
as it is in the regular NETADMIN utility.
Once the connection is...
Building wireless apps just got easier

The best tool for giving mobile workers wireless access to a vertical
market application is iConverse's Mobile Studio and Interaction
Server.

Byline: BARRY NANCE, NETWORK WORLD GLOBAL TEST ALLIANCE
Journal: Network World Page Number: 58

Publication Date: June 25, 2001

Text:

... applications. Mobile Application Server is like having IBM's WebSphere
or BEA Systems' WebLogic application server already set up to deliver
application data to mobile devices. M-1 Mobile Application Server's
components...

... For each wireless message an application wants to transmit to a mobile
user, iConverse Interaction Server identifies the user's specific
device, renders the appropriate response and then dynamically serves the
content in a...

... representation of wireless content into device-specific markup
language. Out of necessity, Air2Web's Mobile Internet Platform uses a
Web-based architecture. Air2Web doesn't distribute its software on
CD-ROMs; rather, developers connect to...

... response according to the device characteristics of the wireless device
involved in the session. Mobile Internet Platform uses XML messages to
register an application and its objects (which might include style sheets,
audio files and predetermined XML messages), register the wireless
application dialogs that you design, identify wireless users and their
devices, and carry on dialogs with wireless devices. On one hand, you use...

... device confirmations. The other Web interfaces store audio files, dialog
elements, style sheets, lists of authorized wireless users and XML
files. With AnyDevice's GoAnywhere Platform, your application uses the
vendor's device...

... AnyDevice environment. If the application design calls for the use of a
relational database for user authentication, AnyDevice requires that it
be Oracle Version 8.1.6 or...

... release a version of Echo that works on
non-Windows computers. Within MMC, an administrator uses a Web site's
or virtual directory's Mobility tab on its property sheet to enable or...

... to keep wireless dialogs authentic, private and unmodified in
transit. For security, Air2Web's Mobile Internet Platform uses digital
certificates, which you identify when you use Air2Web's DevCenter to create
a new...

...on. Aligo's M-1 Mobile Application Server uses the Lightweight Directory
Access Protocol for user authentication and PKI for data privacy.

AnyDevice's GoAnywhere Platform employs an Oracle database for user
authentication and the Oracle Obfuscation Toolkit to encrypt passwords
traveling across a network. The iConverse Interaction Server relies on
SSL and incorporates WTLS to keep data confidential. MobileQ says XMLEdge
can encrypt...

... development and run-time platforms. For wireless application
development, any computer with a browser for accessing the company's Web
site and a text editor for creating XML will suffice. Mobile Internet
Platform works with...

Text:

... 000 users of your WAN. Without a directory service, this requires
adding all 3,000 user IDs to the new file server. With StreetTalk or
Novell, Inc.'s NetWare Directory Services, you...

... the directory tree rather than specific file servers. Not having to add
those 3,000 user IDs saves lots of time and, hence, money. Here's what
to look for in a...

... contain more items, in the form of an inverted tree. File server
independence - Users should log on to the network rather than to a
specific file server. Users then only need to know the name of a service or
their complete user ID to log on from any location on the network. This
allows services to move from...

... Third-party vendors should be able to use directory services to store
things such as host logon IDs, program configuration information and
other system-specific information. Integrated services and security -
Services such as...

... printing, among others, should take advantage of the directory services
to provide things such as user IDs and addresses. Network services
should be tied into a single logon so that different services use one logon
to validate the user. User access to the different network
services should be controlled by information contained in the directory
service. X.500 - For those...

Text:

...Notes databases. During installation, IDs are established for the Notes
Administrator and for the new server.

The certifier ID, in essence, stamps both the user ID and the
server ID. This unique stamp, or certificate, is the validation
mechanism that permits client-server and server-server communication.
Notes provides two different certification schemes, canonical and
hierarchical. In...

RF IDeas Inc (645877)

290 Lexington Dr

Buffalo Grove, IL 60089 United States
TELEPHONE: (847) 870-1723 

TOLL FREE TELEPHONE NUMBER: (866) 439-4884 

FAX: (847) 483-1129 

HOMEPAGE: http://www.RFIDeas.com 

RECORD TYPE: Directory 

CONTACT: Sales Department 

ORGANIZATION TYPE: Corporation 

STATUS: Active 

RF IDeas Incorporated, based in Buffalo Grove, Illinois, develops radio
frequency identification (RFID) systems. The company is known for its AIR
ID proximity systems, developed in 1996 and launched commercially in 1998.
Its AIR ID-HID badge product, introduced in 1999, offers long-range and
short-range access features. Also in 1999, the company first offered
customers its server-based AIR ID Enterprise Management Software
product. The firm has developed a Motorola/Indala proximity reader and the
Common Logon-User Identified, or CLUI (TM), desktop application sharing
product. Its pcProxM readers include USB support features. In 2003, the
firm announced the RFID1356i, an iCLASS compatible read/write desktop
reader and SDK. RF IDeas has formed strategic alliances with Microsoft (R),
Novell, HID, Computer Associates, and other companies.

SALES : NA 

REVISION DATE: 20030728 
TITLE: Authorization Management Tools Emerge

AUTHOR: Radcliff, Deborah 

SOURCE: Computerworld, v34 n37 p72(3) Sep 11, 2000 
ISSN: 0010-4841 

HOMEPAGE: http://www.computerworld.com

RECORD TYPE: Review 

REVIEW TYPE: Product Analysis 
GRADE: Product Analysis, No Rating 

Netegrity's SiteMinder, Entrust Technologies' GetAccess, Securant
Technologies' ClearTrust SecureControl 4.2 are new products designed to
automate creation and enforcement of user access-level controls for
Web-enabled applications. GetAccess is an authorization management system
with which users navigate to the Access Server's login screen to access
secure resources. Functions supported include user verification, retrieval
of profile information, cookie location and transport, cookie encryption,
interception of requests and cookie decryption, and session verification
through the Registry Server. It also supports transport by the registry
server of user ID, preferences, roles, and application-specific data
to the application on the Web server in order to deliver information to the
user. A Mobile Proxy Server manages sessions for cookie-free computers,
such as wireless devices. SiteMinder, which integrates with popular
existing directories and databases, allows users to request protected
resources from the Web server. A Web agent retrieves user credentials from
the browser and sends them to the SiteMinder policy server, which then
authenticates the user. The policy server sends information to the
application, which personalizes content according to the specific users'
privileges. ClearTrust SecureControl 4.2 simplifies integration by
separating content and applications on separate Web servers. A ClearTrust
plug-in enforces access control for resources.

REVISION DATE: 20020830 
TITLE: Watching the Gate

AUTHOR: Chernicoff, David; Moran, Joseph

SOURCE: Windows Sources, v6 n2 p121(5) Feb 1998

ISSN: 1065-9641

HOMEPAGE: http://www.winsources.com

RECORD TYPE: Review 

REVIEW TYPE: Product Analysis 

GRADE: Product Analysis, No Rating 

Microsoft Proxy Server offers content caching and firewall features, 
offering an alternative to a traditional firewall. With a proxy server, 
instead of giving network clients direct Internet access, all actions are 
routed through a single point. From that one point of control, it is 
possible to see where all users are going on the Internet, limit which 
types of sites they can visit, and set rules for how users can transfer 
files. Microsoft Proxy Server 2.0 is a significantly less expensive 
solution than a traditional firewall. It offers dynamic packet filtering, 
which gives the administrator much more control over packets than any other 
proxy server. However, it still does not bring as much packet control as is 
possible with a firewall. The proxy server is transparent to the end-user. 
When an outside Web server attempts to identify a client connection,
it gets the proxy server's ID. Since the proxy server is the only
system that actually communicates over the Internet, it is the only one 
that has to run TCP/IP. Clients can run TCP/IP if desired, but they can 
also run a different network protocol, such as IPX/SPX. It includes a 
content caching server, which caches the content of user requests from the 
Internet to a local cache. Proxy Server can be run from any machine with 
Windows NT Server 4.0, Service Pack 3, and IIS 3.0. 

REVISION DATE: 20020630 
TITLE: Database Security

AUTHOR: Rennhackkamp, Martin

SOURCE: DBMS, v10 n2 p67(5) Feb 1997

ISSN: 1041-5173

HOMEPAGE: http://www.dbmsmag.com

RECORD TYPE: Review 

REVIEW TYPE: Product Analysis 

GRADE: Product Analysis, No Rating 

IBM's DB2 2.1.1, Informix Software's Informix-OnLine Dynamic Server 7.12,
Microsoft's Microsoft SQL Server, Oracle's Oracle 7 7.3, and Sybase's
Sybase SQL Server 11 are compared for their security controls. DB2 2.1.1
has three levels of security checks for viewing or maneuvering stored data;
they include system entry, database connection, and database object usage.
Users must be identified by a user name and password, and privileges
are granted with the GRANT statement. Privileges can be granted to
individuals, groups, or PUBLIC (all users). Informix-OnLine Dynamic Server
7.12 also uses privileges to grant permission for access, altering, or
removal of database objects or the content of database objects. Privileges
are granted with the GRANT statement and removed with the REVOKE statement.
Connect, resource, and database administration levels are supported. Roles
can be used to grant privileges of many users concurrently.
Informix-OnLine/Secure Dynamic Server is a licensed component for secure
UNIX and CMW platforms, supporting required access controls, systemwide
discrete privileges, labeled data, and an audit trail method. Microsoft SQL
Server identifies users via an administrator-created login ID or one
assigned automatically from existing registered Windows NT users. Oracle 7
7.3 has a list of valid users with unique user names and passwords, and SQL
Server 11 users are also identified by unique IDs with passwords.

REVISION DATE: 20030428 
AUTHOR: Karon, Paul

HOMEPAGE: http://www.infoworld.com

RECORD TYPE: Review 

REVIEW TYPE: Product Analysis 

GRADE: Product Analysis, No Rating 

A chain of retail vitamin and supplement stores enjoys tremendous growth, 
although maintaining the LAN for the chain's 2,500 stores proved to be a
complex matter. Administrators turned to Novell's Novell Directory Services 
(NDS) along with Novell's Groupwise groupware to maintain its rapidly 
growing LAN. Through NDS, the company has been able to unify their NetWare 
directories as well as GroupWise directories, providing major time savings 
for support staff and delivering extended functionality to all end-users. 
From the end user's point of view, the convenience of single logons and 
other features make NDS a beneficial application. Before deploying NetWare 
4.1, employees had to have different user IDs for each server . With 
NetWare 4.1, the IS group was able to create a group object that 
automatically gave staff members access rights to as many servers as are in 
the entire WAN environment. 
TITLE: Needle Hunting

AUTHOR: Korzeniowski, Paul

SOURCE: Byte, v20 n11 p51(3) Nov 1995

ISSN: 0360-5280

HOMEPAGE: http://www.byte.com

RECORD TYPE: Review 

REVIEW TYPE: Product Analysis 

GRADE: Product Analysis, No Rating 

The key to effective network management is a good directory system that can
identify users, servers, and other resources. Novell's NetWare
network operating system now includes NetWare Directory Service (NDS), a
service similar to Banyan Systems' VINES feature, StreetTalk. NetWare
previously supported only basic directory services with the bindery, which 
stored addressing information on one standalone server. StreetTalk 
automatically transmits changes to multiple servers. Microsoft is also 
planning to offer global capabilities in the next release of Windows NT. 
Lotus Development offers sophisticated directory services with its cc:Mail 
product. cc:Mail includes the Automatic Directory Exchange feature, which 
automatically updates all cc:Mail user addresses. Sun Microsystems' Network 
Information Services Plus directory service, which is bundled with several 
UNIX operating systems, uses a treelike hierarchical directory structure. 
RECORD TYPE: Review

GRADE: Product Analysis, No Rating

Kane Security Analyst 2.0 for UNIX, Windows NT, and NetWare supports 
security assessment software for the enterprise. The product, a graphical 
software tool, looks at networks and creates reports about security, 
including data integrity, confidentiality, user access control, system 
monitoring, and account limitations. The product also supports NetWare 
Directory Services (NDS) , which enables security analysis by looking at the 
full network directory tree and all NDS objects. One user, a large 
manufacturing company, welcomes heterogeneous support via a single, unified 
interface for all systems. The product evaluates user and group IDs,
servers, and containers, as well as NDS objects, for exposure to hackers
and inappropriate security privileges.

REVISION DATE: 20020630
Abstract (Basic): US 20030084170 A1

NOVELTY - A user identifier including an identification server
ID and an identification randomized ID is obtained. The user
identifier is provided to an identification server peer group
identified using the server ID for authorizing user (700) by
comparing randomized IDs respectively included in the user identifier
and maintained in the server peer group that also stores associated
user information.

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the 
following: 

(1) program storage device storing user identification program; and 

(2) user identification apparatus. 

USE - For user identification in data communication network e.g. 
LAN, WAN, internet, cable television network, telephone network, 
wireless telecommunication network, fiber optic network, ATM network, 
satellite communication network for service provision. 

ADVANTAGE - Performs efficient user authentication using received 
and stored data on open network without revealing unnecessary 
information while maintaining privacy. 

DESCRIPTION OF DRAWING(S) - The figure shows the flow diagram
illustrating the conduction of secure transactions using user 
identification. 
IDENTIFICATION MANAGEMENT IN A DATA COMMUNICATIONS NETWORK

Main International Patent Class: H04L-029/00

Publication Language: English 

Filing Language: English 

Fulltext Availability: 
Detailed Description 
Claims 

Fulltext Word Count: 21577 
English Abstract 

A method for obtaining a service on a data communications network, the 
method includes enrolling with an authority and using the enrollment 
results to obtain a service from a service provider. The enrolling 
creates enrollment results that include user data. The service provider 
is capable of communicating with the authority to verify the enrollment 
results.

French Abstract 

The invention relates to a method for obtaining a service in a data
communications network. This method consists of enrolling with an
authority and using the enrollment results to obtain a service from a
service provider. This enrollment generates enrollment results that
include user data. The service provider can communicate with the
authority to verify the enrollment results.

Legal Status (Type, Date, Text) 

Publication 20030508 A2 Without international search report and to be 

republished upon receipt of that report. 
Fulltext Availability:
Detailed Description 
Claims 

Fulltext Word Count: 21679 
English Abstract 

A method for enhanced privacy protection in identification in a data 
communications network includes enrolling for a service on the data 
communications network, receiving a randomized identifier (ID) in 
response to the enrolling, storing the randomized ID and using the 
randomized ID to obtain services on the data communications network. An 
apparatus for obtaining a service on a data communications network 
includes an enrollment authority configured to accept an enrollment 
request. The enrollment authority is further configured to return 
enrollment results in response to the enrollment request. The enrollment 
results include user data and the enrollment results may be used to
obtain a service from a service provider.

French Abstract 

The invention relates to a method for enhancing privacy protection
during identification in a data transmission network. This method
consists of enrolling for a service on the data transmission network;
receiving a randomized identifier (ID) in response to the enrollment;
storing the randomized identifier, then using it to obtain services on
the data transmission network. The invention also relates to an
apparatus for obtaining a service on a data transmission network, which
apparatus comprises an enrollment authority configured to accept an
enrollment request and to return the enrollment results in response to
the enrollment request. The enrollment results contain the user data;
these enrollment results may be used to obtain a service from a service
provider.

Legal Status (Type, Date, Text) 

Publication 20030508 A2 Without international search report and to be 

republished upon receipt of that report. 
English Abstract

A method for enhanced quality of identification in a data communications 
network includes obtaining a user identifier that includes an 
identification server ID and an identification randomized ID.
The identification server ID identifies an identification 
server peer group. The identification server peer group includes at 
least one server that maintains a mapping between an identification 
randomized ID and a user authentication peer group capable of 
authenticating a user associated with a particular randomized ID, and a 
mapping between the identification randomized ID and user information. 
The method also includes requesting authorization of the user by 
presenting the user identifier to a corresponding identification 
server peer group. Each server in the identification server peer 
group is configured to search for one or more matching entries including 
the randomized ID. 

French Abstract 

The invention relates to a method for improving the quality of
identification in a data transmission network, consisting of obtaining a
user identifier comprising an identification server ID and a randomized
identification ID. The identification server ID identifies a group of
service-provider servers comprising at least one server containing: a
mapping between the randomized identification ID and a user
identification peer group capable of authenticating a user associated
with a particular randomized identification ID, and a mapping between the
randomized identification ID and user information. The method also
consists of requesting authorization of the user by presenting the user
identifier to a corresponding identification server peer group. Each
server in that group is designed to search for one or more matching
entries containing the randomized ID.
English Abstract

A method for controlling user access to distributed resources on a data 
communications network includes receiving a resource request. The request 
includes a rights key credential that includes at least one key to 
provide access to a resource on the data communications network. The 
rights key credential also includes a resource identifier that includes a 
resource server peer group ID and a randomized ID. The resource
server peer group ID identifies a resource server peer group. The 
resource server peer group includes at least one server that maintains a 
mapping between a randomized ID and the at least one key. The method also 
includes providing access to the resource using the at least one key. 

French Abstract 

The invention relates to a method for controlling user access to
resources distributed over a data transmission network, which method
consists of receiving a resource request. This request comprises a rights
key credential, which contains at least one key allowing access to a
resource on the data transmission network. The credential also contains a
resource identifier comprising a resource server peer group ID and a
randomized ID. The peer group ID identifies a resource server peer group,
which group comprises at least one server maintaining a mapping between a
randomized ID and said key. The method described in this invention also
consists of providing access to resources using the aforementioned key.
English Abstract

A method for managing identification in a data communications network 
includes receiving a user-controlled secure storage device and enrolling 
the user with an authority network site. The enrolling includes providing 



information requested by the authority network site. The method also 
includes receiving user data in response to the enrolling, storing the 
user data in the user-controlled secure storage device, enabling the 
user-controlled secure storage device to release the user data and using 
the user data at a service provider network site to obtain a service. 

French Abstract 

This invention relates to a method for managing identification in a data
communications network, which consists of receiving a user-controlled
secure storage device and enrolling the user with an authority network
site. The enrollment amounts to providing information requested by the
authority network site. The method also consists of receiving user data
in response to the enrollment, storing this user data in a
user-controlled secure storage device, enabling that device to release
the user data, and using this data at a service provider network site in
order to obtain a service.
English Abstract

A method for browsing a data communications network includes requesting 
user data from a user-controlled secure device if a network site that 
requires the user data is accessed. The request is performed prior to
requesting the user data from another device. The method also includes 
sending the user data to a network server associated with the network 
site if the user data is received from the user-controlled secure device. 
According to another aspect, a method for servicing data communications 
network information units includes receiving user data associated with a 
network site, using the user data if the user data includes static user 
data and reconstructing the user data before using the user data if the 
user data includes dynamic user data. 

French Abstract 

The invention relates to a method for browsing a data communications
network, consisting of requesting user data from a user-controlled secure
device if a network site requiring the user data is accessed. The request
is performed before requesting the user data from another device. The
method also consists of sending the user data to a network server
associated with the network site if the user data is received from the
user-controlled secure device. In another aspect, the invention relates
to a method for servicing data communications network information units,
consisting of receiving user data associated with a network site, using
the user data if the user data comprises static user data, and
reconstructing the user data before using it if the user data comprises
dynamic user data.